Blue Team Tools
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a...
What you will learn
- What the function of the tool is
- Where to get it
- How to use the tool to fill a gap in enterprise security
Prerequisites
- Security fundamentals
- Ethical hacking fundamentals
- Security testing fundamentals
Introduction
The first course in this series discusses the use of open-source blue team tools to fill the gaps in your enterprise security and, in turn, enable your information security organization to evolve its capabilities as fast as the threat actors you are defending against.
Blue Team Tools: Defense against Adversary Activity Using MITRE Techniques
19m
Description
Blue Teams have one of the most challenging jobs in the world: finding the bad-actor needle in a mound of needles. Attacker techniques are continually evolving, and the threat surface and the data required for analysis are constantly increasing. In this course, Blue Team Tools: Defense against Adversary Activity using MITRE Techniques, you'll cover how to utilize Blue Team Tools to protect against, detect, and respond to targeted threat actor techniques in an enterprise environment. First, you'll learn the purpose and origin of Blue Team Tools and the functions they fulfill in modern cybersecurity organizations. Next, you'll leverage MITRE ATT&CK and Shield to get a 360-degree view of attack scenarios and the data and capabilities you need to stop them. Finally, you'll analyze your organization's tooling gaps and how Blue Team Tools can fill them. When you're finished with this course, you'll have the skills and knowledge to leverage the Blue Team Tools skill path to enable your security organization to evolve its capabilities as fast as the threat actors you are defending against.
Table of contents
- Course Overview
- Blue Team Tool’s Vital Role in Enterprise Security
- Resources
Network Analysis
In this section, you will learn about the tools used for network analysis to detect TTPs in the related data sources and to respond to adversary activity proactively, before it reaches you.
Network Analysis with Arkime
45m
Description
Finding undetected threats in your network through proactive network analysis requires the right tools. In this course, Network Analysis with Arkime, you’ll learn how to utilize Arkime to detect anomalous or malicious network traffic in an enterprise environment. First, you'll gain insight into how to detect common malware delivery patterns. Next, you’ll learn how to use Arkime to identify malware command and control. Finally, you’ll utilize the many features of Arkime to identify data exfiltration. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using Arkime.
Table of contents
- Course Overview
- Identifying Initial Access, Command and Control, and Data Exfiltration with Arkime
- Resources
OS Analysis
In this section, you will learn about the tools used for OS analysis to detect TTPs in the related data sources and to respond to adversary activity proactively, before it reaches you.
OS Analysis with HELK
29m
Description
Though many cyber attack techniques can be effectively and heuristically identified by analyzing endpoint logs, there are surprisingly few capabilities that focus solely on parsing Windows logs and OS data and providing a platform for advanced statistical analysis. In this course, OS Analysis with HELK, you’ll cover how to utilize Hunt ELK (HELK) to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll see the gap that HELK fills in Windows event log analysis. Next, you'll explore how to operate the advanced hunt features provided by HELK. Finally, you’ll learn how to analyze a live dataset to hunt for adversary activity. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using HELK: Kerberoasting (T1208), BITS Jobs (T1197), and Indicator Removal on Host (T1070).
Table of contents
- Course Overview
- Using Windows Event Logs with HELK to Hunt for Advanced Adversary Activity
- Resources
OS Analysis with RegRipper
39m
Description
Windows Registry analysis is a fundamental step in any incident response scenario, as it provides the conclusive evidence needed to confirm or refute suspicious activity on a Windows system. In this course, you’ll cover how to utilize RegRipper to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll see how RegRipper's plugins offer a unique approach to Registry analysis. Next, you’ll run RegRipper against various registry hives using a custom set of plugins. Finally, you’ll analyze the Windows Registry to detect adversary activity on a Windows host. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using RegRipper: Create or Modify System Process (T1543), Boot or Logon Autostart Execution (T1547), and Exfiltration Over Physical Medium (T1052).
Table of contents
- Course Overview (Tool Introduction)
- Analyzing Windows Registry with RegRipper
- Resources
OS Analysis with Wazuh
36m
Description
Detecting process-level and file-level attacks can be challenging. Additionally, many tools are "alert factories" that have no ability to remediate in-progress attacks. Luckily, Wazuh solves these problems! In this course, OS Analysis with Wazuh, you'll cover how to utilize Wazuh to respond to data exfiltration in an enterprise environment. First, you'll create a rule to detect malicious filesystem operations. Next, you'll uncover a rootkit through Wazuh by using a Python script. Finally, you'll leverage Wazuh's Active Response functionality to automatically quarantine the host (and prevent it from exfiltrating data). In this course, you will simulate all attacks through Merlin (a popular C2 service) so that the scenarios emulate real-world activity (no prior Merlin experience is needed). When you're finished with this course, you'll have the skills and knowledge to detect these techniques: Scheduled Task/Job (T1053), Hijack Execution Flow (T1574), and Exfiltration Over C2 Channel (T1041).
Table of contents
- Course Overview
- Detecting Process-level and File-level Attacks with Wazuh
- Resources
Infrastructure Analysis
In this section, you will learn about the tools used for infrastructure analysis to detect TTPs in the related data sources and to respond to adversary activity proactively, before it reaches you.
Cloud Infrastructure Analysis with Scout Suite
29m
Description
It is impossible to manually identify all dangerous configurations, given how cloud services are exploding in number and complexity. In this course, Cloud Infrastructure Analysis with Scout Suite, you will gain the ability to identify cloud configuration issues with Scout Suite. First, you will learn how to create a vulnerable cloud environment. Next, you will discover how to install Scout Suite with minimal privileges. Finally, you will explore how to analyze the vulnerable cloud environment with Scout Suite. When you are finished with this course, you will have the skills and knowledge of Scout Suite needed to analyze cloud deployments for security issues.
Table of contents
- Course Overview
- Discovering Unsafe Cloud Configurations with Scout Suite
- Resources